Security hole found in Linux

Daniel Fleshbourne on 19 March 2003 - 19:54

Programmers disclosed a security hole this week in a part of the heart of the Linux operating system that could let users of a machine take it over even if they don't have privileges to do so. The vulnerability affects both the 2.2 and 2.4 series of Linux kernels, the core of the operating system, said Alan Cox, one of the key deputies of Linux founder Linus Torvalds in the programming community that collectively produces Linux. Those kernels are at the center of several Linux products released recently from companies such as Red Hat and SuSE.

The problem could let "local" computer users--those with permission to log on to a machine--gain "root" access and take complete control of the machine, Cox said. Such local vulnerabilities are considered less severe than remote ones, which let attackers take over a machine across a network even if they don't have a basic user account on it.

The problem affected the "ptrace" component of Linux, which is used to help find bugs in software.

Download: Updated 2.4 kernel fixes vulnerability
View: Security Advisory
News source: c|net


Comments
(3 replies) #1 Hills420 on 19 Mar 2003 - 20:16
...notice how fast a fix was made available....
#1.1 OrangeSoul on 19 Mar 2003 - 20:24
notice that when there is a Windows flaw, it's first reported in news for everyone to exploit, then people wait for a fix, not the other way around
#1.2 OrangeSoul on 19 Mar 2003 - 20:27
.
#1.3 KvalCom on 19 Mar 2003 - 22:06
[neoquote=#1.0 by Hills420]...notice how fast a fix was made available....[/neoquote] And notice that Microsoft usually has their fixes out BEFORE the vulnerabilities actually hit! It's the system admins that fail to apply the security patches. It appears that both OS's are quick to fix.
#2 realmccoy on 19 Mar 2003 - 21:06
Man that was a fast fix!!!
#3 tuxracer on 19 Mar 2003 - 21:10
"notice that when there is a Windows flaw, it's first reported in news for everyone to exploit, then people wait for a fix, not the other way around" Actually every exploit I have seen, with the exception of this one, has been first reported to public via one of the kernel maintainers themselves, or via a site such as bugtraq. I'm not even sure that this one is an exception. I just haven't looked into it. I have noticed that when bugs for Linux do become public they are generally fixed very quickly. Meanwhile, Microsoft is too busy whining about the last exploit found in their software being published to fix it. This is especially true with Internet Explorer. If you keep an eye on [URL=http://www.pivx.com/larholm/unpatched/]this[/URL] list, you will notice that it takes Microsoft months to release a fix to known exploits. In fact there are currently 14 known exploits for Internet Explorer as we speak that have yet to be fixed or patched (e.g. you are just SOL, if you use IE that is). Hell, many of the exploits were published over a year ago, and have yet to be fixed. The last known Mozilla exploit was patched in less than a day.
(2 replies) #4 dr3w2k3 on 19 Mar 2003 - 21:46
I don't see in the article where it says WHEN the flaw was actually discovered. They only say when the patch became available. Seems that the open source community tends to hide the flaws until they have a fix and then come out and say "Oh ya, by the way, we found this flaw but we already have a patch for it". I'm not saying that is the wrong way to do it...in fact it is better because it doesn't give hackers time to exploit the flaws. It just sounds like Linux is getting more credit than they should.
#4.1 CheeseCow on 19 Mar 2003 - 22:05
[neoquote=#4.0 by dr3w2k3]I don't see in the article where it says WHEN the flaw was actually discovered. They only say when the patch became available. Seems that the open source community tends to hide the flaws until they have a fix and then come out and say "Oh ya, by the way, we found this flaw but we already have a patch for it". I'm not saying that is the wrong way to do it...in fact it is better because it doesn't give hackers time to exploit the flaws. It just sounds like Linux is getting more credit than they should.[/neoquote] OMG, you just don't get it. If you really care about these things, you can read the kernel mailing lists, or the new bugtracking system. It is 100% open, because most of the conversation between the kernel hackers is in public areas. To most users, they will hear about it when the patch is out, and that is to get some noise around it so they actually patch their software. Most people are too lazy to update, be it Win or Lin, and therefore coverage on neowin.net is very welcome. Thanks, neowin.
#4.2 Rambo2000 on 20 Mar 2003 - 13:46
They can't really hide the flaws as it's an open OS, and I agree that I tend to notice that when they find a flaw in Linux, they tend to fix it very fast where with Microsoft and Windows, they tend to take days to like a week, shows that Linux is moving faster.
#5 Chicane-UK on 19 Mar 2003 - 23:06
It's worth mentioning that there are patches available against the 2.4.20 source code, and that the security patch should be included as part of 2.4.21.. whenever it gets released.
(1 reply) #6 DsnBehind on 20 Mar 2003 - 07:46
See: Linux has holes, too!
#6.1 Rambo2000 on 20 Mar 2003 - 13:48
Everything has holes, there will never be a 100% secure OS because it's built by us humans and we make mistakes, that and because if we know how to build it, we know how to crack it, so there will never be 100% secure software in anything.
#7 Espectro on 20 Mar 2003 - 20:49
yeah Linux has holes, like everything else, but:
- Since source is available, fixes are easier.
- Most of the bugs found are with older versions of software. This kernel bug is an exception.
- The bug allows a LOCAL user to get superuser rights, like deleting a file not in your home dir, kinda like every Windows 9x system lets you
